Fleet Add-On • Digital Forensics

Digital Forensics Capability for Your Regulated MSP Clients

Most MSPs cannot respond to a breach investigation, litigation hold, or expert-witness subpoena because they lack the certification, tooling, and chain-of-custody discipline required for court-admissible evidence. Petronella Technology Group closes that gap as an optional add-on to any Fleet engagement.

Why Your MSP Needs Forensics Capability on Retainer

If your MSP serves defense contractors, healthcare providers, financial firms, or any organization under regulatory oversight, you are one incident away from a client asking a question you cannot answer: "Can you preserve the evidence and testify to what happened?"

The answer matters for four reasons that go far beyond technical curiosity:

  • Incident response and breach notification. Regulatory frameworks including HIPAA, CMMC, PCI-DSS, and state breach-notification statutes require documented forensic investigation before notification deadlines trigger. The clock starts at discovery, not at convenience.
  • Compliance evidence. Post-incident, your client's compliance posture is under a microscope. An auditor or assessor will ask for chain-of-custody logs, forensic acquisition records, and a root-cause analysis signed by a credentialed examiner. Internal IT notes do not satisfy that requirement.
  • Legal holds and litigation support. When a client is sued or suing, opposing counsel demands electronically stored information under rules that require forensic-grade preservation. The MSP operating the environment cannot credibly testify about its own work because the conflict of interest destroys credibility on cross-examination.
  • Insurance claims. Cyber-insurance carriers increasingly require forensic reports from a credentialed third party before paying claims. A report from the MSP that managed the compromised environment does not meet that standard.

The structural problem is that building this capability in-house requires a licensed Digital Forensics Examiner, specialized acquisition tooling, evidence-vault infrastructure, and expert-witness courtroom experience. That combination costs years of credentialing effort and six figures annually to maintain for work that arrives unpredictably.

Craig Petronella's DFE Credential and What It Means

Craig Petronella holds DFE #604180, a Digital Forensics Examiner credential that authorizes forensic acquisition, analysis, and expert-witness testimony. The credential is a personal license tied to Craig, not a company certification that can be assigned to any employee.

For your MSP clients, this means:

  • Forensic reports carry a named, credentialed examiner whose qualifications can withstand a Daubert challenge or Frye hearing.
  • Chain-of-custody documentation follows standards accepted in federal and state courts across the Southeast.
  • Expert-witness testimony is delivered by someone with direct courtroom experience, including cases that originated through Petronella's cybersecurity podcast where attorneys sought expert witnesses for active litigation.
  • The examiner operates under PPSB (Private Protective Services Board) oversight as required for investigative work in North Carolina.

Petronella Technology Group has delivered cybersecurity services since 2002, has held BBB A+ accreditation since 2003, and operates from 5540 Centerview Dr, Raleigh, NC. The team includes four CMMC Registered Practitioners in addition to Craig's DFE credential, which matters when a forensic investigation uncovers compliance deficiencies that need immediate remediation.

How the DFE Add-On Works Within Fleet Engagements

Digital forensics is an optional add-on to Petronella Fleet engagements. It is not included by default in any prototyping tier because forensic work is scoped per-incident, not bundled into infrastructure projects. This keeps your base Fleet engagement pricing clean and prevents you from paying for capability you may not need on every deal.

Two engagement models cover the range of forensic needs:

DFE On-Call Retainer

$2,500 per month. Craig Petronella is available as your clients' named forensic examiner with next-business-day response for standard matters and same-day response for active ransomware events. The retainer ensures priority scheduling and eliminates the scoping delay that costs critical hours in an incident.

Time-and-Materials

$350 per hour for forensic acquisition, analysis, and report writing. Expert-witness testimony is billed at expert-witness hourly rates with a standard retainer against hours. Suitable for MSPs with infrequent forensic needs who want to pay only when an incident occurs.

Discovery Call Required

Every forensic engagement starts with a free 30-minute Discovery Call to determine scope, timeline, and whether the matter requires direct-to-counsel billing for privilege preservation. There is no Stripe self-serve link for forensics work because scope varies too widely between incidents.

Use Cases Your MSP Can Position

When you tell a prospective regulated-SMB client that your MSP has a forensics-certified partner on retainer, you immediately differentiate from every competitor whose incident-response plan ends at "we'll call our vendor." Here are the scenarios where that positioning converts to revenue:

Ransomware Response for Defense Contractors

A defense contractor client suffers a ransomware event. DFARS 7012 requires notification to the DoD within 72 hours and preservation of all media for 90 days. The forensic examiner acquires images, reconstructs the attack timeline, prepares the mandatory report, and provides the preserved media that satisfies the DFARS obligation. Your MSP handles containment and restoration. The client sees one coordinated team, not two vendors discovering each other's existence during a crisis.

HIPAA Breach Investigation

A healthcare client discovers unauthorized access to systems containing protected health information. The HIPAA Breach Notification Rule requires a risk assessment to determine whether notification is required, and that assessment must be based on forensic evidence, not assumptions. The forensic examiner documents scope of access, data potentially exposed, and whether encryption or other protections were in place at the time of access. The MSP uses this report to support the client's legal counsel in making the notification determination.

Insider Threat for Financial Firms

A departing employee at a financial services client copies client lists, pricing models, and proprietary trading algorithms before resignation. The firm's legal counsel needs forensic evidence of what was taken, when, and how. The examiner preserves the employee's workstation, analyzes cloud sync logs, and produces a report suitable for a temporary restraining order hearing. The MSP continues to manage the environment and implements the access controls that prevent recurrence.

Expert-Witness Testimony

Your client's attorney needs a technical expert to file a declaration, sit for deposition, or testify at trial about what happened in a cyber incident. The expert must be independent of the MSP that operated the environment because the MSP cannot credibly testify about its own work. Craig Petronella serves as the independent expert while your MSP maintains the client relationship and continues managed services.

What Forensic Work Cannot Be White-Labeled

Forensic findings and expert-witness testimony must carry the licensed examiner's name to be admissible in civil or criminal proceedings. This is not a branding preference; it is a legal requirement. Craig Petronella's DFE license is a personal credential, and his name appears on every forensic report and every piece of testimony.

Your MSP stays in the engagement as the client's primary technology relationship. You introduce the matter, you coordinate logistics, and you continue all managed-services work. Petronella's statement of work names Craig Petronella DFE #604180 as the performing examiner. For active litigation, the engagement is typically structured as a direct contract between the examiner and the client's legal counsel to preserve attorney-client privilege and work-product protections.

Direct-to-counsel billing is not optional packaging. Attorney-client privilege and work-product doctrine typically require the forensic examiner to contract with counsel, not the litigant's business. Petronella walks partners through this structure during the scoping call for every litigation-related matter.

Non-Refundable and No-Guarantee Notice: All forensic engagement fees are non-refundable. No guarantees of forensic findings, litigation outcomes, insurance claim results, or compliance audit results are made or implied. The examiner reports facts as found. Results depend on the evidence available and the circumstances of the matter.

Frequently Asked Questions

Is the DFE retainer included in Fleet prototyping tiers?
No. Forensics is an optional add-on priced separately at $2,500 per month or $350 per hour time-and-materials. This keeps your base Fleet engagement clean and avoids paying for capability that may not apply to every client deal.

Can we invoice the client ourselves and pay Petronella as a subcontractor?
For pre-litigation forensic work, yes. For active litigation, attorney-client privilege is typically preserved only if the examiner contracts directly with counsel. The partner still keeps the client relationship and receives a referral arrangement. We walk through the mechanics case by case during scoping.

What geographic area does forensic work cover?
Forensic acquisition ships nationwide. Remote acquisition covers most cloud sources including Microsoft 365, Google Workspace, and AWS CloudTrail. Deposition and trial testimony are prioritized in NC, SC, VA, GA, and TN. Other jurisdictions are handled case by case with travel billed at cost.

How quickly can an engagement start?
Retainer clients get next-business-day response for standard matters and same-day for active ransomware events. Non-retainer engagements start after the scoping call and statement of work, typically within three to five business days of signed agreement.

What if the forensic exam reveals evidence adverse to our client?
Examiners report facts, not conclusions the client prefers. If the examination surfaces evidence adverse to the client, Craig's obligation is to document the facts and coordinate with counsel regarding disclosure duties. This is the fundamental difference between a licensed examiner and an ordinary IT technician.

Add Forensics Capability to Your MSP Practice

Book a free 30-minute Discovery Call to discuss your client base, incident-response needs, and whether the retainer or time-and-materials model fits your practice. Questions? Call (919) 348-4912 or contact us.